oss-security September 2010 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] Re: [Security] [oss-security] R

Re: [oss-security] Re: [Security] [oss-security] Re: /proc infoleaks

From: Sebastian Krahmer <krahmer_at_nospam>
Date: Wed Sep 08 2010 - 06:52:38 GMT
To: oss-security@lists.openwall.com

On Tue, Sep 07, 2010 at 05:51:31PM -0400, Brad Spengler wrote:

>
> Definitely some work needs to be done here at the distro level, because
> it's pointless (as Enlightenment demonstrates) to hide /proc/kallsyms
> when /boot/System.map or /lib/modules are perfectly visible on any
> distro.
I agree that distros also have to do some homework there,
but there are things that we cant just do via init harden scripts.
Take /proc/pid/stack. Other files like my prefered friend /proc/net/netlink
gives info that allows exploitation-deluxe if you overwrite your socket destructor.

The list I have given was by no means complete (and even
didnt mean slabinfo will leak addresses, but was an example
of leaking other useful info) and I prefer an inventory
of 'problematic' /proc, /sys or whatever files if you speak
about inventory of programs using it.

> I know the impulse is to immediately copy what we're doing in
> grsecurity, but the reason we do some of the things in the way we do
Its always my first thought :)

> them is that we can be used on any distro and have no control over
> whatever distro that happens to be. We also support other features like
> PaX's KERNEXEC and UDEREF which make the symbol/address removal more
> useful. We're also able to make certain important assumptions about our
> users (eg. that they want security). So make sure you're thinking
> carefully about what you're trying to accomplish, why you're doing it,
> and how effective it will actually be given the (lack of) synergistic
> features at your present disposal, instead of jumping into cargo cult
> security.
Sure. It was just a proposal since I felt nobody really cared about
the low hanging fruits. It wont make your system rocket proof but
it makes some head-scratching for exploit developers which is
all you need if you make them stuck in doing that.

Sebastian

-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)